13. A note about FTP Connection Issues
######################################
It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.
On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won't work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.
For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange 30000 35000
For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts 30000 35000
FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol establishes a connection between client and server.
iptables cannot establish a RELATED connection for FTP over SSL because the FTP
control connection is encrypted, so the conntrack FTP helper cannot see the
PASV/PORT exchange and cannot track the relationship between the control
connection and the ephemeral data port it allocates.
If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).
Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.
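A consistency check for the passive-range setup described above: it reads the csf TCP_IN list and the pure-ftpd (PassivePortRange) or proftpd (PassivePorts) range and reports whether the firewall actually admits every port the FTP server may hand out. This is an added example, not code from csf or either FTP server; the three config snippets are constructed.

```python
import re

# Constructed sample configs (not taken from any real server).
CSF_CONF = 'TCP_IN = "20,21,22,25,53,80,110,143,443,30000:35000"\n'
PURE_FTPD_CONF = "# passive data ports\nPassivePortRange 30000 35000\n"
PROFTPD_CONF = 'ServerName "ftp"\nPassivePorts 30000 35000\n'


def parse_tcp_in(csf_conf):
    """Return TCP_IN as a list of (low, high) tuples; a single port becomes (p, p)."""
    m = re.search(r'^\s*TCP_IN\s*=\s*"([^"]*)"', csf_conf, re.MULTILINE)
    if not m:
        raise ValueError("TCP_IN not found in csf.conf")
    ranges = []
    for item in (s.strip() for s in m.group(1).split(",")):
        if not item:
            continue
        lo, _, hi = item.partition(":")  # csf writes ranges as low:high
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_passive_range(ftp_conf):
    """Accept pure-ftpd 'PassivePortRange lo hi' or proftpd 'PassivePorts lo hi'."""
    m = re.search(r"^\s*Passive(?:PortRange|Ports)\s+(\d+)\s+(\d+)",
                  ftp_conf, re.MULTILINE | re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def passive_range_allowed(tcp_in, passive):
    """True only if every port of the passive range is covered by some TCP_IN entry."""
    lo, hi = passive
    return all(any(rlo <= p <= rhi for rlo, rhi in tcp_in) for p in range(lo, hi + 1))


if __name__ == "__main__":
    tcp_in = parse_tcp_in(CSF_CONF)
    for name, conf in (("pure-ftpd", PURE_FTPD_CONF), ("proftpd", PROFTPD_CONF)):
        rng = parse_passive_range(conf)
        print(name, rng, "allowed by TCP_IN" if passive_range_allowed(tcp_in, rng) else "NOT in TCP_IN")
```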

Application Examples

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over a PPTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need to bridge over EoIP tunnels).

Consider the following setup

The Office router is connected to the internet through ether1. Workstations are connected to ether2. The laptop is connected to the internet and can reach the Office router's public IP (in our example it is 192.168.80.1).
The first step is to create a user

The PPTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.
Please consult the respective manual on how to set up a PPTP client with the software you are using.

At this point (once the PPTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the laptop cannot get ARP replies from the workstations. The solution is to set up proxy-arp on the local interface

After proxy-arp is enabled, the client can successfully reach all workstations in the local network behind the router.

Site-to-Site PPTP

The following is an example of connecting two intranets using a PPTP tunnel over the Internet.

Consider the following setup

The Office and Home routers are connected to the internet through ether1; workstations and laptops are connected to ether2. Both local networks are routed through the PPTP client, so they are not in the same broadcast domain. If both networks need to be in the same broadcast domain, you must use BCP and bridge the PPTP tunnel with the local interface.

Notice that we set up PPTP to add a route whenever the client connects. If this option is not set, you will need a static routing configuration on the server to route traffic between the sites through the PPTP tunnel.

The next step is to enable the PPTP server on the Office router and configure the PPTP client on the Home router.

Stopping a DDoS (distributed denial of service) or DoS (denial of service) attack is no simple task. Frequently these attacks become more than just a nuisance: they completely immobilize your server's services and keep your users from using your website.

We've found a few common-sense ways to help ease the pain of DDoS and/or DoS attacks. While no method is foolproof, we can certainly minimize the profound effect these attacks have on your users and subsystems.

Identify the Source

Good luck with that one. Many DDoS and DoS attacks come from roaming IP addresses. A distributed denial of service attack can come from many different IP addresses, and it quickly becomes impossible for the Linux system administrator to isolate and confine each IP with a firewall rule.

Wikipedia does a great job of describing the various types of attacks here: http://en.wikipedia.org/wiki/Denial-of-service_attack. For the purpose of this tutorial, I'll leave the research on the types of attacks up to you and address the most common form we've encountered over the years: the DDoS or DoS attack directed at Apache.

Apache Based Attacks

Symptoms of the Apache DDoS or DoS attack:

Website(s) serve slowly

You notice hanging processes

Apache Top shows the same IP address repeatedly requesting a system resource

The system resource continues to multiplex, causing more processes to spawn

(D)DoS Deflate is great software, rock solid, and plays nicely with either APF or iptables. Install and configure the service in seconds using the commands below. Edit the .conf file to choose whichever flavor of firewall you'd like to integrate it with. Set a few configuration settings and you're done.

To Install (D)DosDeflate:

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

If it doesn't work out, it's simple to uninstall too. To uninstall:

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos

chmod 0700 uninstall.ddos

./uninstall.ddos
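Detection logic for the "same IP address requesting" symptom listed above: count live connections per remote address from netstat output and flag any address at or above a threshold, which is the per-IP connection count that (D)DoS Deflate keys on before handing the address to APF or iptables. This is an added example, not the tool's own script; the threshold of 150 is an assumed value and the netstat lines are constructed.

```python
from collections import Counter

THRESHOLD = 150  # connections from one address before it is flagged (assumed value)


def remote_address(line):
    """Foreign address from one `netstat -ntu` line, or None for headers and blanks."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
        return None
    addr, _, _port = fields[4].rpartition(":")  # port follows the last colon, IPv6 included
    if addr.startswith("::ffff:"):               # IPv4-mapped IPv6 form used by tcp6 sockets
        addr = addr[len("::ffff:"):]
    return addr


def connections_per_ip(lines):
    """Map each remote address to its number of current connections."""
    return Counter(a for a in map(remote_address, lines) if a)


def flag_offenders(lines, threshold=THRESHOLD, allowlist=("127.0.0.1",)):
    """Return {ip: count} for addresses at or above the threshold, skipping the allowlist."""
    return {ip: n for ip, n in connections_per_ip(lines).items()
            if n >= threshold and ip not in allowlist}


def sample_netstat():
    """Constructed sample: one address holding 161 connections, two others a handful."""
    rows = ["Active Internet connections (w/o servers)",
            "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    rows += [f"tcp        0      0 10.0.0.5:80             203.0.113.9:{50000 + i}       ESTABLISHED"
             for i in range(160)]
    rows += [f"tcp        0      0 10.0.0.5:80             198.51.100.4:{50000 + i}      ESTABLISHED"
             for i in range(3)]
    rows += ["tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:192.0.2.7:40001  TIME_WAIT",
             "udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED"]
    return rows


if __name__ == "__main__":
    for ip, n in flag_offenders(sample_netstat()).items():
        print(f"{ip}: {n} connections (threshold {THRESHOLD})")
```

On a live host the same functions take `subprocess.check_output(["netstat", "-ntu"]).decode().splitlines()` as input; the flagged addresses are what you would review before adding a firewall rule.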

So a few tools are outlined above. We’ve found that this will stop 90% of the attacks that are out there. Some nice firewall rules above your server (at the router or switch level) also help. Most of the time we can identify suspicious traffic before it even hits your servers, so a shameless plug here is probably in order.

I know, shameless.

Contact Us if you’d like to colocate your server with us, or if there is something more that we can help you with.

We enjoy the opportunity to discuss your challenges, it helps make all of us better.